As organizations continue to struggle with the costs associated with achieving and maintaining regulatory compliance, many CIOs and CFOs are pursuing ways and means to reduce these costs and improve core business processes.
One way to meet this goal is through a governance, risk and compliance (GRC) program designed to build in an enterprise-wide, risk-based approach to managing key controls across several regulations. Several areas of opportunity for improvement are:
The potential of ERP implementations has not been fully leveraged for compliance and controls.
Many "legacy" key controls are cumbersome, manual, costly and inefficient, and have deteriorated over time.
Monitoring is often non-existent, understaffed or overlooked, so that control weaknesses go unnoticed and become chronic failures.
Compliance leaders have begun to realize that it is time to determine how to implement controls and monitoring capabilities within their existing financial, operational, technology and regulatory processes:
Controls are most effective when embedded within regular day-to-day management reporting and decision-making processes.
Address the right risks with the right controls and automate the monitoring of controls.
Integrate compliance and business control requirements into a single control framework to provide all stakeholders with a single tool to manage risks.
Controls exist within business processes to mitigate business risk.
Cost effectiveness and control environment maturity improve as the compliance framework moves from fragmented and inconsistent to embedded or "baked in" to the underlying business activity. Otherwise, key controls are "brushed on" and remain a function disparate from the business itself. Below are several points to consider as decisions are made about risk, controls and the costs of compliance.
1. Does the organization have a defined enterprise risk management (ERM) program?
Today the average public company faces a myriad of regulations and risks, many of them overlapping, with stiff consequences for non-compliance.
2. Are there appropriate compliance awareness programs? Have roles and responsibilities been clearly communicated?
Most employees will do what is expected if they truly understand what is expected. Compliance must be a cultural priority. Don't assume knowledge of controls exists.
3. How does the organization use technology to streamline and monitor controls?
Common approaches by process, system and by department can be used to reduce the variations in how controls are implemented. Simplify and evolve controls and objectives.
Control owners exist in all parts of the business and often have shared responsibilities for compliance. As control maturity increases, ownership spreads across the enterprise and compliance becomes embedded into the very culture of the business.
One very important undertaking is for the organization to evaluate the maturity of its overall control landscape. Some controls are now outdated and can be made less costly and more efficient by a design overhaul. Moving older manual controls to newer automated and/or preventative controls requires far less management intervention for control execution, making it easier to stay ahead of the compliance curve. Depending on the appetite for risk and change, a yearly assessment of all key controls should be conducted to keep costs in check and increase the chances of success throughout the audit year.